Hi DocHelp,
we have seen clients registering servicePrincipalNames like
MSSQLSvc/YOURHOST.TESTDOMAIN.COM:SOPHOS.
We're rejecting them, as we didn't know about the :port part, and
MS-ADTS 3.1.1.5.3.1.1.4 (servicePrincipalName) doesn't specify this
optional part.
Testing against a Windows DC shows that only numeric characters are
allowed after ':'. It seems it doesn't need to be a valid tcp/udp port
number; it works with '99999'.
I also found a number of Google hits where people use things like
MSSQLSvc/YOURHOST.TESTDOMAIN.COM:MSSQLSERVER2008 or others with
non-numeric :port parts.
Can you update the MS-ADTS 3.1.1.5.3.1.1.4 servicePrincipalName section
to be more detailed about what is and what is not allowed, maybe together
with some examples?
https://msdn.microsoft.com/en-us/library/ms191153.aspx contains some
information, but the following is a bit unclear to me:

MSSQLSvc/FQDN:[port|instancename]

Should that allow "MSSQLSvc/FQDN:SOMENAME", or does it have to be

MSSQLSvc/FQDN[:port][/instancename]

or

MSSQLSvc/FQDN[:port|/instancename]

It would be nice to get some hints on what we have to implement.
Thanks!
metze
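The two readings of the MSSQLSvc format discussed in the message above, as an added example that is not part of metze's mail or of Samba's own code. It splits an SPN along the general serviceclass/host[:port][/servicename] shape (assumed here as the structural form; the component names and the SPN dataclass are this example's own) and then applies one of two selectable policies to the text after ':': "numeric-port", which mirrors what the message reports a Windows DC accepting (digits only, no port-range check, so '99999' passes), and "port-or-instance", which is the MSSQLSvc/FQDN:[port|instancename] reading of the SQL Server page. The sample SPNs are constructed from the ones quoted in the message; the one with both ':1433' and '/MSSQLSERVER2008' is constructed to illustrate the [:port][/instancename] reading and is not taken from the message. Which policy is correct is exactly the question being asked; the code only makes the difference between them concrete.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample SPNs modelled on the ones quoted in the message.
SAMPLE_SPNS = [
    "MSSQLSvc/YOURHOST.TESTDOMAIN.COM:SOPHOS",
    "MSSQLSvc/YOURHOST.TESTDOMAIN.COM:99999",
    "MSSQLSvc/YOURHOST.TESTDOMAIN.COM:MSSQLSERVER2008",
    # Constructed to show the [:port][/instancename] reading (assumption, not from the mail).
    "MSSQLSvc/YOURHOST.TESTDOMAIN.COM:1433/MSSQLSERVER2008",
    "HOST/YOURHOST.TESTDOMAIN.COM",
]


@dataclass(frozen=True)
class SPN:
    service_class: str
    host: str
    port: Optional[str]          # raw text after ':' (not yet checked for being numeric)
    service_name: Optional[str]  # optional third component after the second '/'


def parse_spn(text: str) -> SPN:
    """Split an SPN into serviceclass/host[:port][/servicename].

    Only the shape is checked here; whether the ':port' text must be
    numeric is a policy decision made in is_valid() below.
    """
    parts = text.split("/")
    if len(parts) not in (2, 3):
        raise ValueError(f"expected serviceclass/host[:port][/servicename]: {text!r}")
    service_class, hostport = parts[0], parts[1]
    service_name = parts[2] if len(parts) == 3 else None
    if not service_class or not hostport or service_name == "":
        raise ValueError(f"empty SPN component: {text!r}")
    host, sep, port = hostport.partition(":")
    if not host:
        raise ValueError(f"empty host: {text!r}")
    if sep and (not port or ":" in port):
        raise ValueError(f"malformed ':port' part: {text!r}")
    return SPN(service_class, host, port if sep else None, service_name)


_DIGITS = re.compile(r"[0-9]+")  # ASCII digits only; str.isdigit() would also accept Unicode digits


def is_valid(text: str, policy: str) -> bool:
    """Accept or reject an SPN under one of two policies for the ':port' text.

    'numeric-port'     : digits only after ':', no range check (the behaviour the
                         message reports for a Windows DC, where '99999' is accepted).
    'port-or-instance' : any non-empty token after ':' (the MSSQLSvc/FQDN:[port|instancename]
                         reading of the SQL Server documentation page).
    """
    try:
        spn = parse_spn(text)
    except ValueError:
        return False
    if spn.port is None:
        return True
    if policy == "numeric-port":
        return _DIGITS.fullmatch(spn.port) is not None
    if policy == "port-or-instance":
        return True
    raise ValueError(f"unknown policy {policy!r}")


def port_in_tcp_range(text: str) -> bool:
    """Stricter check a validator could add: a real 1..65535 port number.

    Kept separate because the message observes the DC does NOT apply it.
    """
    spn = parse_spn(text)
    if spn.port is None or _DIGITS.fullmatch(spn.port) is None:
        return False
    return 1 <= int(spn.port) <= 65535


if __name__ == "__main__":
    for s in SAMPLE_SPNS:
        print(f"{s:55} numeric-port={is_valid(s, 'numeric-port')!s:5} "
              f"port-or-instance={is_valid(s, 'port-or-instance')!s:5}")
```

Running the block prints one line per sample SPN showing that 'SOPHOS' and 'MSSQLSERVER2008' after ':' are rejected only under the numeric-port policy, while '99999' passes it despite not being a usable TCP port.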